Thanks: 
Likes: Just be sure to test. Getting the NTFS permissions right the first few times usually trips people up.
Dislikes: 0
Just be sure to test. Getting the NTFS permissions right the first few times usually trips people up.
rthonpm was right, "access based enumeration" tripped me up at first. I found a good training video on it and was able to get it down. It's pretty cool because you don't always want everyone on the network to see a shared folder. This will come in very handy.
This won't hide the share, but it will hide some, or all, of the contents. The permissions for the share should be as wide as possible (the standard is usually Read for Domain Users) and then the permissions on the folders are more granular, so while everyone may see the share, only specific people will see something other than an empty share, or only see certain folders. Samba also allows for this, though the process is much more complicated and easier to break so I don't recommend it for anything other than Windows servers.Originally Posted by BillyCarpenter
The advantage is also that hidden shares are only recognised by Windows: any Mac or Linux client will still be able to list shares that to Windows would be hidden.
Sent from my BlackBerry using Tapatalk
Sorry, I misspoke. You're correct, it doesn't hide the share. But it will/can hide the subfolders inside the share depending on the permission level granted. I think the rule is that a user must at least have "read" permission or they won't be able to see the folder.
PS - I just verified it...the user must at least have "read" permission to see the subfolder. Of course, you can up the permission level depending on what you want to allow the user to do.
Did I explain that correctly? Just curious.
The way you get it to work is to remove inheritance from any subfolder you create and then grant NTFS permissions as needed. You're correct that the minimum permission to see a folder is Read, but that goes for any folder in any OS. You can also get more detailed down to the level of allowing people to modify the contents of a folder, but not the folder itself. I've had to do this in the past when a customer kept trying to move a folder in the root of the share inside another one, essentially cutting off access to it for others who didn't have access to the folder it was moved to.Sorry, I misspoke. You're correct, it doesn't hide the share. But it will/can hide the subfolders inside the share depending on the permission level granted. I think the rule is that a user must at least have "read" permission or they won't be able to see the folder.
PS - I just verified it...the user must at least have "read" permission to see the subfolder. Of course, you can up the permission level depending on what you want to allow the user to do.
Did I explain that correctly? Just curious.
Here's the setup I did recently for a company for scan to folder (to keep it in the copier world):
Shared folder: Scans. Shared as Read to all domain users.
Subfolders:
Bob
Chris
Mark
Michelle
Neil
Pete
Sandra
Sharon
Tammy
Each folder had NTFS inheritance removed and were permissioned so that only two accounts had permissions to each folder. The user has Modify permissions, and the AD account used for scanning has Read/Write.
Never under any circumstances give a standard user account Full Control as this allows for changing the permissions on contents. Nothing like trying to rebuild permissions on huge folders because of a disgruntled employee.
Sent from my BlackBerry using Tapatalk
You kinda of lost me when you said to remove the inheritance from the subfolders. I'm gonna have to think about that for a minute.
Here's the way I did it.
I created a folder and named it "datashare".
I removed the inheritance from that shared folder. I then removed "users" from permissions. I then add the users that I wanted to have permission to this share but I only grated them permission to "this folder only".
In other words, the users will not be able to see any subfolders that I add to the share unless I grant them at least read permission.
I probably did a terrible job of explaining it. Here's the video that I watched:
By the way, rthonpm is MUCH more advanced than me when it comes to anything to do with Windows Server. I've learned a lot from him just now. He gave some great advice when he said this:
Never under any circumstances give a standard user account Full Control as this allows for changing the permissions on contents. Nothing like trying to rebuild permissions on huge folders because of a disgruntled employee.
This wouldn't have occurred to me because I lack experience in running into this scenario. But I will not forget this advice. Thanks.
You did it exactly as you should. You don't want any accounts or groups having access to the subfolders except Administrators, SYSTEM, and the groups/user(s) you want.
The general breakdown for basic NTFS permissions is:
Read: you can open and run anything in the folder, but you can't change anything.
Read/Write: you can add new files or folders, but you can't delete anything.
Modify: you can delete folders or files.
Full Control: you control all security permissions.
There is a more advanced set of permissions available, but unless you really know what you're doing it's best to stick with the basics.
Sent from my BlackBerry using Tapatalk
And depending on the security settings, even if you are logged in as the administrator, you may not be able to change the permissions if the folder was created by a user unless you first take ownership of the folder.
Generally, to ensure that Administrators always have full permissions, they should be set as the owner for all server-side folders.
The other issue comes when UAC is enabled on a server since it means that the file explorer isn't running with admin permissions and will throw all kinds of errors for permissions even when using an administrator account to access a folder. To get around this, it's easier to edit the share when mapped from a separate workstation as opposed to the server itself. Most of our installs are Server Core anyway so there's not many reasons to even log into the server directly.
Sent from my BlackBerry using Tapatalk
Reply With Quote
Bookmarks